UnitySync Office 365 login requirements

Created: 2016-04-21 08:46:39
Modified: 2024-11-21 10:24:36
Tags: Office 365 System Requirements UnitySync US Admin Guide

If you are running any version prior to v4.6, you must upgrade to the latest version to sync with o365.

Connections may be configured to read your O365 directory as a Source, discovering Users, Contacts and/or Groups. These objects may be synced to create contacts in any other supported Destination directory type (Active Directory, O365, etc).

Likewise, connections may be configured to sync to your O365 directory as a Destination. When syncing to an O365 Destination, contacts will be created.

1. System Requirements

Ensure your UnitySync server meets the Special Requirements for o365 connections.

2. Required Login information

Source or Dest tab ID:

The specified o365 User account must be:

  • A licensed o365 account (Administrator or other custom account created for UnitySync).

  • Excluded from any policy requiring Multi-Factor Authentication (MFA).

  • Enabled.

  • Password NOT expired.

ID name format: Use the same login format you would use when logging into O365 online:

e.g. AdminAccountName@YourDomain.onmicrosoft.com

Password: The password that corresponds to the login ID specified

3. The User must have Permissions to read/write an O365 tenant

We highly recommend use of an O365 Admin account. Microsoft does not make it easy to create a non-Admin account with the necessary access for UnitySync to perform the required PowerShell commands when writing to O365.

Discovery of O365

We highly recommend use of an O365 Admin account. Alternatively, you may assign minimum read access to your UnitySync O365 login ID to be used for O365 Discovery.

  • For example, create an unlicensed Office 365 user account without O365 admin rights.

  • For view-only access to O365, add the user to the “View-Only Organization Management” admin role in the Exchange Admin Center. This role should provide UnitySync the rights needed to run the PowerShell cmdlets used by UnitySync Discovery.

Discovery, cmdlets required:

Get-EXORecipient
Get-DistributionGroupMember

Syncing to O365:

We highly recommend use of an O365 Admin account. Microsoft does not make it easy to create a non-Admin account with the necessary access for UnitySync to perform the required PowerShell commands when writing to O365.

That said, it is possible for a non-Admin account to sync to O365.

Sync, cmdlets required:

The following commands are utilized by a UnitySync Sync process:

Remove-DistributionGroup
Remove-MailContact
New-DistributionGroup
New-Contact
New-MailContact
Set-Group
Set-DistributionGroup
Update-DistributionGroupMember
Set-Contact
Set-MailContact

Additionally, here is a sample O365 RBAC script to reduce permissions.

IMPORTANT NOTE: This script was provided by a client as a sample script which allowed them to create a non Admin account for UnitySync to sync to o365. Your script may be different depending on your preference and environment. Using the script as an example, you can try to create a custom account with minimal access.
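To check how close a custom account comes to that minimum, the following added example (not UnitySync's code and not the client's script) compares the cmdlets an account's Exchange Online roles actually grant against the Discovery and Sync lists above. The account names are placeholders, the ExchangeOnlineManagement module is assumed to be installed, and Get-EXORecipient is left out on the assumption that it is not listed as a role entry under its own name; add it to the list if your tenant shows it.

```powershell
# Added example: audit the Exchange Online RBAC footprint of the UnitySync login.
# Assumes the ExchangeOnlineManagement module and an admin able to read role
# assignments. Both account names below are placeholders.
param(
    [string]$SyncAccount = 'unitysync-svc@YourDomain.onmicrosoft.com',
    [string]$AdminUpn    = 'AdminAccountName@YourDomain.onmicrosoft.com'
)

# Cmdlets this page lists for Discovery and Sync (Get-EXORecipient omitted,
# see the assumption stated above the block).
$Required = @(
    'Get-DistributionGroupMember',
    'Remove-DistributionGroup', 'Remove-MailContact',
    'New-DistributionGroup', 'New-Contact', 'New-MailContact',
    'Set-Group', 'Set-DistributionGroup', 'Update-DistributionGroupMember',
    'Set-Contact', 'Set-MailContact'
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Roles that reach the account directly or through role groups.
$roles = Get-ManagementRoleAssignment -RoleAssignee $SyncAccount -Delegating $false |
    Where-Object { $_.Enabled } |
    Select-Object -ExpandProperty Role -Unique

# Every cmdlet those roles allow.
$granted = foreach ($role in $roles) {
    Get-ManagementRoleEntry "$role\*" | Select-Object -ExpandProperty Name
}
$granted = @($granted | Sort-Object -Unique)

$missing = @($Required | Where-Object { $_ -notin $granted })
$excess  = @($granted  | Where-Object { $_ -notin $Required })

# Summary: what UnitySync would lack, and how much more the account can do.
[pscustomobject]@{
    Account        = $SyncAccount
    Roles          = $roles -join '; '
    MissingCmdlets = $missing -join ', '
    ExcessCount    = $excess.Count
}

# Excess cmdlets that change state are the ones to trim from a custom role first.
$excess | Where-Object { $_ -match '^(New|Set|Remove|Add|Update|Enable|Disable)-' }

Disconnect-ExchangeOnline -Confirm:$false
```

An empty MissingCmdlets field with a low ExcessCount indicates a role set close to the lists on this page; because the login is excluded from MFA, the excess list is the part worth reviewing.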

For more detailed information about setting read/write permissions on O365 User accounts, refer to Microsoft tech articles and/or reach out to Microsoft technical support:

Refer to: TechNet Overview of Built-in role groups

Refer to: TechNet View-only Organization Management

Refer to: Permissions in Exchange Online

Refer to: Create an unscoped role

For more information about O365 syncs, please refer to the O365 KB articles and the UnitySync Administrator’s Guide.
